Abstract

At ches 2009, Coron, Joux, Kizhvatov, Naccache and Paillier (cjknp) exhibited a fault attack against rsa signatures with partially known messages. This fault attack allows factoring the public modulus N. While the size of the unknown message part (ump) increases with the number of faulty signatures available, the complexity of cjknp’s attack increases exponentially with the number of faulty signatures.

This paper describes a simpler attack, whose complexity remains polynomial in the number of faults; consequently, the new attack can handle much larger umps. The new technique can factor N in a fraction of a second using ten faulty emv signatures – a target beyond cjknp’s reach. We also show how to apply the attack even when N is unknown, a frequent situation in real-life attacks.